Analysis
  max time kernel    148s
  max time network   122s
  platform           windows7_x64
  resource           win7-20241010-en
  resource tags      arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted          22/12/2024, 04:04

  Static task        static1
  Behavioral task    behavioral1
  Sample             Project 88399287990.exe
  Resource           win7-20241010-en
General
  Target   Project 88399287990.exe
  Size     622KB
  MD5      3837485b707ee00ae594d8b339c56ece
  SHA1     df8dab1ca8581cdf2c8de899d0d4a8df8ca8d24c
  SHA256   71ef3a1c1b5deecad87d419dff14667503ffbfb7f5a16f5b53eda57ae33bde7b
  SHA512   6a243b10b4e556d4cf6c95f5f7d534f0ec8bd32f6cb5c153abfbdf2dcaa04c6adcb122a42cccb882cee90c98b6d50fc04bb9355f0de7a82a27e615ae10c39ba6
  SSDEEP   6144:UJ4uZ9l5FllawMqFj/02XzSlGDQNo/vSx2oJrZKhCuKEB96MFZN+4RSOKQm0umL:UJ4up5UwMqFjjU3QMVtuKEn6qq4I
Malware Config
Extracted
formbook
4.1
ksb
Signatures

Formbook family

Formbook payload  (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/1784-19-0x0000000000400000-0x000000000042E000-memory.dmp   formbook

Command and Scripting Interpreter: PowerShell  (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid    Process
  1980   powershell.exe
  2144   powershell.exe

Deletes itself  (1 IoC)
  pid    Process
  2284   cmd.exe

Suspicious use of SetThreadContext  (3 IoCs)
  description                           pid    Process                   procid_target
  PID 1956 set thread context of 1784   1956   Project 88399287990.exe   37
  PID 1784 set thread context of 1184   1784   Project 88399287990.exe   21
  PID 1716 set thread context of 1184   1716   cscript.exe               21

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cscript.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Project 88399287990.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe

Scheduled Task/Job: Scheduled Task  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  1292   schtasks.exe

Suspicious behavior: EnumeratesProcesses  (11 IoCs)
  pid    Process
  1784   Project 88399287990.exe
  1784   Project 88399287990.exe
  1980   powershell.exe
  2144   powershell.exe
  1716   cscript.exe
  1716   cscript.exe
  1716   cscript.exe
  1716   cscript.exe
  1716   cscript.exe
  1716   cscript.exe
  1716   cscript.exe

Suspicious behavior: MapViewOfSection  (5 IoCs)
  pid    Process
  1784   Project 88399287990.exe
  1784   Project 88399287990.exe
  1784   Project 88399287990.exe
  1716   cscript.exe
  1716   cscript.exe

Suspicious use of AdjustPrivilegeToken  (4 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   1784   Project 88399287990.exe
  Token: SeDebugPrivilege   2144   powershell.exe
  Token: SeDebugPrivilege   1980   powershell.exe
  Token: SeDebugPrivilege   1716   cscript.exe

Suspicious use of WriteProcessMemory  (27 IoCs)
  description                         pid    Process                   procid_target
  PID 1956 wrote to memory of 1980    1956   Project 88399287990.exe   31
  PID 1956 wrote to memory of 1980    1956   Project 88399287990.exe   31
  PID 1956 wrote to memory of 1980    1956   Project 88399287990.exe   31
  PID 1956 wrote to memory of 1980    1956   Project 88399287990.exe   31
  PID 1956 wrote to memory of 1292    1956   Project 88399287990.exe   33
  PID 1956 wrote to memory of 1292    1956   Project 88399287990.exe   33
  PID 1956 wrote to memory of 1292    1956   Project 88399287990.exe   33
  PID 1956 wrote to memory of 1292    1956   Project 88399287990.exe   33
  PID 1956 wrote to memory of 2144    1956   Project 88399287990.exe   35
  PID 1956 wrote to memory of 2144    1956   Project 88399287990.exe   35
  PID 1956 wrote to memory of 2144    1956   Project 88399287990.exe   35
  PID 1956 wrote to memory of 2144    1956   Project 88399287990.exe   35
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1956 wrote to memory of 1784    1956   Project 88399287990.exe   37
  PID 1184 wrote to memory of 1716    1184   Explorer.EXE              38
  PID 1184 wrote to memory of 1716    1184   Explorer.EXE              38
  PID 1184 wrote to memory of 1716    1184   Explorer.EXE              38
  PID 1184 wrote to memory of 1716    1184   Explorer.EXE              38
  PID 1716 wrote to memory of 2284    1716   cscript.exe               39
  PID 1716 wrote to memory of 2284    1716   cscript.exe               39
  PID 1716 wrote to memory of 2284    1716   cscript.exe               39
  PID 1716 wrote to memory of 2284    1716   cscript.exe               39
Processes
  [1] C:\Windows\Explorer.EXE  (PID 1184)
      Command line: C:\Windows\Explorer.EXE
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe  (PID 1956)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1980)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [3] C:\Windows\SysWOW64\schtasks.exe  (PID 1292)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gIujDCSIo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7011.tmp"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

      [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2144)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gIujDCSIo.exe"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [3] C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe  (PID 1784)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cscript.exe  (PID 1716)
        Command line: "C:\Windows\SysWOW64\cscript.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\cmd.exe  (PID 2284)
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Project 88399287990.exe"
          - Deletes itself
          - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

  Filesize   1KB
  MD5        1aea0842d7145c1a086baabc7831752a
  SHA1       031e3aaf90906d7b0a597fd27897bd68247d875f
  SHA256     c9a4d4a223599891060d0a2036081c5a25803474350d3817b15f94ea44a68301
  SHA512     3af1b587ca64d07e917c6226b250df09ee69922fae2cfd1ee7c801339f0a4a388695ff169715237a733128882ed3e81bb08b960aa3e50c90f8c2dbf9c58a055e

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize   7KB
  MD5        341331b640710f6beff9db811f46487f
  SHA1       9385b7d8fa778e869d6cf64ded161e20c70e090f
  SHA256     ddb1c938962898255e4bb1b76220d8fc3ab0692d8a7fef54eb741700d4bcf1a5
  SHA512     5f5a368edd01b844a971cd0f996f89c7c07beb0466df05ba275734d2e03cfc4cb85de886a3605ecea930754c2f69b7b10d2b2c33d3885b1164adeb64a1eeec9b